Logging in with certificates issue
Paul Gildea
Paul.Gildea at klasgroup.com
Thu Nov 28 02:30:54 AEDT 2024
Hi,
I'm trying to log in over HTTPS via certificate with my browser and it
doesn't work. I've followed this setup process and checked that the
verification is correct:
https://gerrit.openbmc.org/plugins/gitiles/openbmc/docs/+/ef6af2726cdd976a6d767e569fabd639f8abb6d2/security/TLS-configuration.md
Checking the logs I see this output:
> Nov 22 14:35:33 vm3 phosphor-certificate-manager[215]: Certificate install, FILEPATH:/tmp/Certs.Adv311/cert.pem
> Nov 22 14:35:33 vm3 systemd[1]: Reloading Start bmcweb server...
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Check if host is running
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Host is running!
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Received signal that host is running
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Change to Host State: xyz.openbmc_project.State.Host.HostState.Running
> Nov 22 14:35:33 vm3 systemd[1]: Reloaded Start bmcweb server.
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Check if host is running
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Host is running!
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Received signal that host is running
> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Change to Host State: xyz.openbmc_project.State.Host.HostState.Running
> Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Certificate install, FILEPATH:/tmp/Certs.jDVxEN/cert.pem
>
> *Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Error occurred during X509_verify_cert call, checking for known error, ERRCODE:20, ERROR_STR:unable to get local issuer certificate*
> Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Certificate compareKeys, FILEPATH:/tmp/Certs.jDVxEN/cert.pem
> Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Inotify callback to update certificate properties
> Nov 22 14:36:16 vm3 systemd[1]: Reloading Start bmcweb server...
> Nov 22 14:36:16 vm3 systemd[1]: Reloaded Start bmcweb server.
Noting the error and looking at a build based on old code from a few years
ago I get the same error in the logs, but it does log in with the
certificate anyway.
Reading the code, there looks to be a trusted chain bypass for certain
issues, including this one, but from my understanding this still shouldn't
log in over HTTPS, and the newer behaviour is correct? If so, any idea what
might be wrong?
Thanks,
Paul
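
What ERRCODE:20 in the log above means at the OpenSSL level, as an added example that is not part of the original message or of OpenBMC: `X509_verify_cert` reports error 20 when the issuer of the certificate being checked is not present in the trust store used for that verification. The script assumes the `openssl` command-line tool is installed; the CA names, the client name `testuser` and all file names are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example: reproduce X509 verify error 20 offline with throwaway certificates.
# Every subject name and file below is a constructed sample value.
set -eu

make_ca() {        # $1 = output prefix, $2 = subject CN (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_client() {   # $1 = CA prefix, $2 = output prefix, $3 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Print the first numeric verify error for certificate $2 checked against
# trust anchor file $1, or 0 when the chain builds and verifies.
verify_code() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo 0
    return
  fi
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n1
}

run_demo() {
  dir=$(mktemp -d)
  make_ca "$dir/rootA" "Constructed Root A"      # the CA that signs the client
  make_ca "$dir/rootB" "Constructed Root B"      # an unrelated CA
  issue_client "$dir/rootA" "$dir/client" "testuser"
  echo "issuer present in trust store: code $(verify_code "$dir/rootA.pem" "$dir/client.pem")"
  echo "issuer absent from trust store: code $(verify_code "$dir/rootB.pem" "$dir/client.pem")"
  rm -rf "$dir"
}

run_demo
```

Running the same `openssl verify -CAfile <installed CA> <client cert>` check against the real files shows whether the CA installed on the BMC is the one that actually issued the client certificate.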